Phology, posted November 13, 2004:

cool

Logfile of HijackThis v1.98.2
Scan saved at 21:43:56, on 13/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\avicap32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=9705
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = GILESDESKTOP:8080
R3 - Default URLSearchHook is missing
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bae5c3e65007] C:\WINDOWS\System32\avicap32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...6/OCI/setup.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
Steve (thread author), posted November 13, 2004:

Right, here we go. You have loads of spyware and nasty shit on your PC mate. It can all be removed if you follow these instructions carefully: -

Firstly, press Control/Alt/Delete and end the following processes if they are running: -

jusched.exe
pcsvc.exe
qttask.exe
avicap32.exe
msnappau.exe

Next, go to Add/Remove Programs and uninstall the MSN Toolbar. It's a major resource hog and you already have Google's toolbar, which is much better. While you're there, look for any programs that look like "MySearch", "MyWay", "MyBar" or "Delphin Project". If you see anything like that or very similar, also uninstall them.

Next, run HijackThis again, do a scan and put a check mark next to all of the following: -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=9705
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
R3 - Default URLSearchHook is missing
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bae5c3e65007] C:\WINDOWS\System32\avicap32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...6/OCI/setup.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

Close ALL browser windows (IE etc.) and hit Fix Checked.

Reboot your PC into Safe Mode by tapping F8 as your PC is booting up. Select Safe Mode from the menu. When it's started, start Windows Explorer and click Tools - Folder Options. Then click on the View tab and make sure the following are set like this: -

Show hidden files and folders (Selected)
Hide extensions for known file types (UNchecked)
Hide protected operating system files (UNchecked)

Then hit Apply then OK.

Now, search for the following files and folders on your machine and delete them if they exist (they may not): -

C:\Program Files\MyWay
C:\Program Files\MSN Apps
C:\Program Files\Common files\updmgr\
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\avicap32.exe

Next, run Disk Cleanup from the Start menu and empty all your temp files, including temporary Internet files and the recycle bin. Once you're done, reboot into regular Windows.

Now, start IE and hit Tools - Internet Options - Programs (tab) - Reset Web Settings. Now go to the General tab and re-enter your desired homepage. Then hit Apply then OK.

The next thing you should do is install a decent firewall. Download Sygate's free one from their site, or go on Suprnova and get the Pro version.

Finally, your version of Sun's Java is out of date and is a security risk. Go to http://www.java.com and download the latest version. You should also check the Windows Update site for any critical updates.

Once you have done all that, you should notice your machine speeds up considerably, especially when browsing the net. You should consider installing Service Pack 2 for XP because it deals with a lot of the underlying issues that allow you to become infected with spyware, although installing the Sygate firewall will help. It's probably an idea to start using a different browser for the majority of sites. Check Dee's thread on Firefox in the DVKB. That's way more secure than IE for general browsing.

Thank God that's over. My hands are aching now!
Steve (thread author), posted November 13, 2004:

Oh yeah - don't run HijackThis from the desktop. Create a folder for it and run it from there. It creates undo files then if something goes wrong.
Phology, posted November 13, 2004:

You're my hero! Genius. But no, really, thanks a lot man, I wouldn't know where to start with this shit.
alkatrazz, posted November 30, 2004:

Hey sigma (hijack master), or anyone that can read this. I'm helping out a friend that I know has a few viruses on her computer, but I'm not sure how to go about it the best way. Basically I don't wanna erase it if it's going to mess up her computer, just try to fix it up as much as possible. Anyway, here's her log:

Logfile of HijackThis v1.97.7
Scan saved at 9:18:11 PM, on 11/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ubbwpt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\jawa32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\oiheyhi.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\Zosvs.exe
C:\WINDOWS\offerDrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kbrrgqsu.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\system32\lmf32v.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ivojat] C:\WINDOWS\ivojat.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlarcbl] C:\WINDOWS\oiheyhi.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [lzssybu] C:\WINDOWS\Zosvs.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [offerDrv.exe] "C:\WINDOWS\offerDrv.exe" 1099899689 1099900955 1101790827 14 9
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [jlaqvdz] C:\WINDOWS\system32\kbrrgqsu.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

She says thank you very much to whoever can help, and a big kiss.....
Steve (thread author), posted November 30, 2004:

That's a pretty hideous mess mate. There are at least 4 viruses/trojans on there and possibly as many as 10. There are also several spyware infections, her homepage has been hijacked by zestyfind and her search page by zestzest. It's not beyond repair though!

The first thing to do is get rid of some of the viruses. Press Control/Alt/Delete and end the following processes (if you can): -

ubbwpt.exe
jawa32.exe
oiheyhi.exe
Zosvs.exe
offerDrv.exe
GMT.exe
kbrrgqsu.exe

Now, go to this web site and scan the machine for viruses. Make sure you tick the Auto-Clean option before the scan starts: -

http://housecall.antivirus.com/housecall/start_frame.asp

It will take some time to scan, but should remove some of the crap.

The next thing to do is download Ad-aware from here: -

http://download.com/3000-2144-10045910.htm...page&tag=button

Install it, run it, update it and scan the PC and remove everything that it finds.

The next program you need is Crap Cleaner (terrible name - great program): -

http://www.ccleaner.com/

Install it and run it to clean up all the temporary internet files, other temp files and recycle bin, then reboot the PC.

Once the PC has started, don't start any programs at all except HijackThis. Do a scan and post the new log. I'll tell you where to go from there.
Steve (thread author), posted November 30, 2004:

Oh yeah - while you are there, go to Add/Remove Programs and remove the following if they exist: -

AOL Instant Messenger
VBouncer (may be listed as Virtual Bouncer)
WeatherBug
My Daily Horoscope
Second Thought

Also look for anything that contains the word "Ebates". This could be Web Savings From Ebates, Ebates Web Offer, Ebates_MoeMoneyMaker or something similar. If you see anything like that, uninstall it.

Make sure you do these steps before posting the new log!
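Steve's two sets of instructions above (for Phology's log and for alkatrazz's) are the same kind of triage done by eye: orphaned entries marked "(file missing)" or "(no file)", start/search pages pointing somewhere odd, hosts-file redirects, Run entries with generated-looking names sitting loose in C:\WINDOWS or System32, ActiveX (O16) downloads from unknown hosts, and the O17 DNS servers. The script below is an added example and is neither the thread's own tool nor any part of HijackThis; it encodes those checks as rules over the HijackThis line format. The sample log is constructed from lines posted in this thread; the KNOWN_SYSTEM and TRUSTED_DPF_HOSTS allowlists and the looks_random heuristic are assumptions that would need extending for any real machine. It goes slightly beyond the thread in that the O1 and O17 rules cover entry types that only appear in alkatrazz's and Mixologist's logs.

```python
"""HijackThis log triage (added example; not the thread's own tool and not part of
HijackThis). The rules encode what Steve checks by hand in the logs posted above:
orphaned entries, start/search page hijacks, hosts-file redirects, Run entries loose
in the Windows folder, O16 ActiveX downloads from unknown hosts, changed DNS servers.
The allowlists are assumptions and need extending per machine."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample made of lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [bae5c3e65007] C:\WINDOWS\System32\avicap32.exe
O4 - HKLM\..\Run: [jlaqvdz] C:\WINDOWS\system32\kbrrgqsu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B472A691-62EC-45B0-9D10-8A4B17F9177B}: NameServer = 209.198.87.24 209.198.87.40
"""

@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    severity: str  # "fix": safe to tick and Fix Checked; "review": needs a human decision
    reason: str
    line: str

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
LOOSE_IN_WINDIR = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)  # no deeper subfolder
KNOWN_SYSTEM = {"ctfmon.exe", "explorer.exe", "rundll32.exe", "hkcmd.exe"}  # assumption
TRUSTED_DPF_HOSTS = {"v5.windowsupdate.microsoft.com", "download.macromedia.com",
                     "fpdownload.macromedia.com"}  # assumption

def looks_random(name: str) -> bool:
    """Heuristic for generated Run value names such as 'jlaqvdz' or 'bae5c3e65007'."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) >= 6 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.2:
        return True  # almost no vowels
    return bool(letters) and " " not in name and len(name) >= 8 and bool(re.search(r"\d", name))

def run_target(rest: str):
    """Split a Run entry into (value name, executable path); quotes and arguments dropped."""
    m = re.match(r".*?: \[(.*?)\] (.*)$", rest)
    if not m:
        return None, None  # Global Startup entries use a different layout; skipped here
    exe = re.match(r'^"?(.*?\.(?:exe|com|scr|dll|ocm))"?(?:\s|$)', m.group(2), re.I)
    return m.group(1), (exe.group(1) if exe else m.group(2))

def host_of(value: str) -> str:
    return urlparse(value if "://" in value else "http://" + value).hostname or ""

def triage(log_text: str, expected_hosts=frozenset()):
    """One Finding per matching log line, in log order; expected_hosts are the homepages you accept."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        hits = []  # (severity, reason)
        if "(file missing)" in rest or "(no file)" in rest:
            hits.append(("fix", "orphaned entry: the referenced file is absent"))
        elif section in ("R0", "R1"):
            value = rest.split(" = ", 1)[-1]
            if value.lower().startswith("file://"):
                hits.append(("fix", "start/search page redirected to a local file"))
            elif host_of(value) not in expected_hosts:
                hits.append(("review", f"start/search page points at {host_of(value)}"))
        elif section == "O1":
            ip, host = rest.split(": ", 1)[1].split()[:2]
            hits.append(("fix", f"hosts file redirects {host} to {ip}"))
        elif section == "O4":
            name, path = run_target(rest)
            if name is None:
                continue
            if looks_random(name):
                hits.append(("review", f"generated-looking value name [{name}]"))
            if LOOSE_IN_WINDIR.match(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM:
                hits.append(("review", f"unrecognised executable loose in the Windows folder: {path}"))
        elif section == "O16":
            url = rest.rsplit(" - ", 1)[-1]
            if host_of(url) not in TRUSTED_DPF_HOSTS:
                hits.append(("review", f"ActiveX download from untrusted source {url}"))
        elif section == "O17":
            hits.append(("review", "DNS servers set to " + rest.split(" = ", 1)[-1] + "; confirm they are the ISP's"))
        if hits:
            severity = "fix" if any(s == "fix" for s, _ in hits) else "review"
            findings.append(Finding(section, severity, "; ".join(r for _, r in hits), raw.strip()))
    return findings

def summary(findings):
    """Count findings by severity, e.g. {'fix': 4, 'review': 7} for SAMPLE_LOG."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    found = triage(SAMPLE_LOG, expected_hosts={"www.msn.co.uk"})
    for f in found:
        print(f"{f.severity:<6} {f.section:<4} {f.reason}")
    print(summary(found))
```

On the sample this yields four "fix" findings and seven "review" ones. The split is deliberate: a loose executable in System32 can be a legitimate OEM tool (hkcmd.exe is on the allowlist for exactly that reason), so those lines are left for a human to decide, which is what Steve does with the logs above; only entries whose referenced file no longer exists, local-file search pages and hosts-file redirects are safe to tick without further thought.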
alkatrazz, posted November 30, 2004:

Alright sig, thanks a lot, a lifesaver. I'll tell her all that and I'll try to post the log file when I stop by her place again tomorrow... But thanks a lot bro.
alkatrazz, posted November 30, 2004:

Yeah, I dunno, people, when I tell them to get an antivirus, don't listen, and this is what happens. But it's cool. Once again, thanks again.
Steve (thread author), posted November 30, 2004:

No problem. Some of the viruses will have arrived on her machine via email attachments that she's opened. She's also running no firewall or antivirus software. Not good really! If I wasn't looking at this for a mate, I'd probably suggest a reinstall, as the instructions might be lengthy! I don't mind helping you if you wanna go ahead with it all though. Once all the crap is removed and the registry is cleaned up, the log will be small and the PC should run well. I'll sort you some links for a decent firewall and antivirus program too.
Mixologist, posted December 2, 2004:

Hey Sigma, after I downloaded that ripper that was said to have adware, Kaspersky caught everything and so did Sygate, and everything's blocked. Ran Ad-aware as well and it deleted a lot of it. Just checking to make sure nothing was missed. I was glad how quickly Kaspersky caught everything; as soon as it opened, Kaspersky went crazy. It'd be great if you just checked this to make sure I didn't miss anything. Thank you.

Logfile of HijackThis v1.98.2
Scan saved at 8:34:31 PM, on 12/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Jay\My Documents\Downloads\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\system32\IEHost.exe
O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096569826187
O17 - HKLM\System\CCS\Services\Tcpip\..\{B472A691-62EC-45B0-9D10-8A4B17F9177B}: NameServer = 209.198.87.24 209.198.87.40
Mixologist, posted December 2, 2004:

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

Damn, I missed one. Still haven't gotten around to getting the new Java files like you told me to 4 months ago lol.
Steve (thread author), posted December 2, 2004:

These can go: -

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\system32\IEHost.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)

Delete the IEHost.exe file in the System32 folder once you've fixed it and that's about it.

I notice you're running Avast and Kaspersky - don't have the active scanning of both switched on at the same time.
Mixologist, posted December 2, 2004:

Oh damn, I didn't even know Avast was running; it wasn't supposed to be. I didn't even know I had it lol. K, thanks again Sigman.
Huw Posted December 13, 2004
Could you please scan over this, Sig. It's been a while since I cleaned the computer! Cheers....

Logfile of HijackThis v1.98.0
Scan saved at 17:47:22, on 13/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PREVX\Prevx Home\PXAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Tim\Desktop\Huw\Apps\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [bJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [bJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28177.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/060fd34065efe5863d16/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095701599281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...352/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1863F1-1B19-4E66-BE5A-51BE41C21E8B}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E1863F1-1B19-4E66-BE5A-51BE41C21E8B}: NameServer = 195.92.195.94 195.92.195.95
Guest Deeswift Posted December 13, 2004
Wow. It's hard to believe some of the shit you guys have got running! There's so much, it's unreal. Sifting through these would do my nut in, so props to Sig. Every time you guys install a program though, go into the options for that program and configure them, because to me it always seems as though people install something and just forget about it. Ask yourselves... Does it need to check for updates constantly? Does it need to start up with Windows every time the PC is switched on?... Common sense really. Strip it down to run the bare minimum, which should be a decent firewall and anti-virus. I suppose a shared machine is more difficult to keep in check, but if you're the only user there's no excuse for not keeping it clean, if you care at all.
Steve (Author) Posted December 13, 2004
Huw - There's nothing in there worth worrying about, but you could tidy it up a bit. As Dee said, if you don't need a program starting when you boot your PC then disable it, otherwise it's running constantly. Any program can be started from a shortcut or the Start menu. I would uninstall the MSN toolbar. It's a piece of shit! If you want a search bar with a few extra functions then go for the Google toolbar. The msnappau.exe file related to MSN runs constantly and is a notorious resource hog - it's been known to max out people's CPUs before now. You could also disable iTunes from starting when you boot and a couple of other things. Just look in the system tray at the icons and you'll be able to configure most programs by right clicking or double left clicking them. You have a lot of stuff running, but most of it is related to your keyboard, mouse and printer. Disabling any of it might cause you problems so it's best left alone.
Huw Posted December 14, 2004
Cheers Sig. Yeah, there is a lot of shit, but I share the computer with the family, so they usually download stuff and forget about it, or simply don't know how to stop it starting up when booting. I'll uninstall the MSN toolbar, I presume it just came with MSN...
Infinite Posted January 13, 2005
I've run Spybot and deleted everything there but I'm still getting a pop-up whenever I initially open my internet browser. Here's the HijackThis logfile:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.man.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [sbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [scratchAmp] C:\Program Files\Music and Sound\FinalScratch\Traktor FS 2\FinalScratchDrivers\FinalScratch\ScratchAmpControl.exe
O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Steve (Author) Posted January 13, 2005
Right mate, I can see what's causing it. Go into Add/Remove Programs and see if there's something called 'FTApp', 'flt', 'FlashTrack Uninstall' or 'FT remove' and uninstall it. That won't do the full trick, but it will help. Whether there is something in Add/Remove like that or not, reboot your PC and as soon as it boots, get a log before you start any other programs at all - it has to be done right after a fresh reboot. Then post it up and I'll tell you exactly what to do.
Guest Deeswift Posted January 13, 2005
Just a thought -- you can disable the ATI services if you go to Control Panel > Administrative Tools > Services. Once you're there, double click the ATI services (2 of them), and set them to "disabled". You can still access your graphics card driver settings by right-clicking the desktop, choosing Properties > Settings > Advanced. No need for those services using up extra resources.
Infinite Posted January 13, 2005
OK, here's the result:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.man.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [sbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [scratchAmp] C:\Program Files\Music and Sound\FinalScratch\Traktor FS 2\FinalScratchDrivers\FinalScratch\ScratchAmpControl.exe
O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

There was no 'FTApp', 'flt', 'FlashTrack Uninstall' or 'FT remove' in Add/Remove Programs BTW. As for the ATI services, they don't seem to be in Services either; I think they have their own control panel.
Guest Deeswift Posted January 13, 2005
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Infinite Posted January 13, 2005
Okay, I removed that along with O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll. Bastardo pop-up continues though.
Steve (Author) Posted January 13, 2005
It's the fen.dll thing that's doing it, but it reappeared because you didn't remove the fecpy.exe file that runs when you boot your PC and reinstalls the spyware. Anyway, first off I would advise you to remove Spybot. It's a pile of crap to be honest. Then run HijackThis again and check off the following (the 2 entries relating to Spybot may not show up after it's been uninstalled - don't worry if they don't):

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Reboot your PC into Safe Mode by tapping F8 as the machine boots. Search for and delete the following:

c:\Program Files\Fen
C:\Program Files\Common Files\Java\fecpy.exe

You might need to enable hidden files to see those. That should be the end of your popup woes anyway.
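The procedure Steve lays out above (check the O2 BHO and the O4 Run entries in HijackThis, then delete the loader and the DLL from Safe Mode) as an added Python example; this is not HijackThis code and not part of the thread. It parses the O2 and O4 line formats seen in the logs, and turns a list of "checked" lines into a removal plan that does the registry first and the files second, which is the order that matters when a Run entry like fecpy.exe re-creates the BHO at every boot. The sample lines are copied from Infinite's log; the O2 line with an all-zero CLSID and "(no file)" is constructed to show the missing-file case. The BHO and Run key registry paths are the standard Windows locations for those entries.

```python
"""Parse HijackThis O2 (Browser Helper Object) and O4 (Run key) lines and turn
the entries a user has "checked" into a removal plan: registry values to delete
first, files to delete afterwards (from Safe Mode), and anything that still
needs a manual look.  Added example for this thread, not HijackThis code."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Sample lines copied from the log posted above.  The O2 line with an all-zero
# CLSID and "(no file)" is constructed to exercise the missing-file case.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# The lines Steve told the poster to check (those of them present in SAMPLE_LOG).
CHECKED = [
    r"O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll",
    r'O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
MISSING_TAGS = ("(no file)", "(file missing)")

# Standard registry locations IE and Windows read these entries from.
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Entry:
    kind: str            # "O2" or "O4"
    raw: str             # the line exactly as HijackThis printed it
    name: str            # BHO display name, or Run value name
    ident: str           # CLSID for O2, hive ("HKLM"/"HKCU") for O4
    path: Optional[str]  # on-disk path when one can be derived from the line
    missing: bool        # HijackThis reported the file absent


def command_path(cmd: str) -> Optional[str]:
    """Pull the executable out of a Run value.  Quoted paths may carry switches
    ("...qttask.exe" -atboottime); bare names (RunDll32 ..., mmrtkrnl.exe) are
    resolved via PATH at boot, so return None and leave them for a manual search."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    return path if re.match(r"^[A-Za-z]:\\", path) else None


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            target = m["target"].strip()
            missing = any(tag in target for tag in MISSING_TAGS)
            path = None if target == "(no file)" else target.replace("(file missing)", "").strip()
            entries.append(Entry("O2", line, m["name"], m["clsid"], path, missing))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", line, m["value"], m["hive"], command_path(m["cmd"]), False))
        # Other line types (O3, O16, O23, Global Startup, ...) are ignored here.
    return entries


@dataclass
class Plan:
    registry: List[Tuple[str, str]] = field(default_factory=list)  # (key, value name or CLSID subkey)
    files: List[str] = field(default_factory=list)                 # delete after the registry, from Safe Mode
    unresolved: List[str] = field(default_factory=list)            # needs a manual look


def plan_removal(entries: Iterable[Entry], checked: Iterable[str]) -> Plan:
    """Registry first, files second: a Run value left behind (fecpy.exe in the
    thread) re-creates the BHO on the next boot, which is why deleting fen.dll
    alone did not stop the pop-up."""
    by_raw = {e.raw: e for e in entries}
    plan = Plan()
    for raw in (c.strip() for c in checked):
        e = by_raw.get(raw)
        if e is None:
            plan.unresolved.append(raw)   # not in this log: already gone, or mistyped
            continue
        if e.kind == "O2":
            plan.registry.append((BHO_KEY, e.ident))
            plan.registry.append((r"HKCR\CLSID", e.ident))
        else:
            plan.registry.append((e.ident + "\\" + RUN_SUBKEY, e.name))
        if e.missing:
            continue                      # nothing on disk to delete
        if e.path is None:
            plan.unresolved.append(raw)   # bare filename: locate it by hand
        else:
            plan.files.append(e.path)
    return plan


if __name__ == "__main__":
    plan = plan_removal(parse_log(SAMPLE_LOG), CHECKED)
    for key, what in plan.registry:
        print(f"delete {what!r} under {key}")
    for f in plan.files:
        print(f"then delete file: {f}")
    for u in plan.unresolved:
        print(f"manual follow-up: {u}")
```

Run it as a script to print the plan for the sample. Entries whose Run value is a bare filename (the `RunDll32 sbusbdll.dll,RCMonitor` line) land in `unresolved` rather than `files`, since the loader could be anywhere on PATH; that is the same reason Steve asks for a fresh-boot log before naming files to delete.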